nanog mailing list archives

Re: Uptick in spam


From: Octavio Alvarez <octalnanog () alvarezp org>
Date: Wed, 28 Oct 2015 14:54:27 -0700

On 27/10/15 05:40, Jutta Zalud wrote:
But it is originating all from different IP addresses. Who knows if this
is an attack to get *@jdlabs.fr blocked from NANOG and is just getting
its goal accomplished.

This is the part that's been bugging me.  Doesn't the NANOG server
implement SPF checking on inbound list mail?  jdlabs.fr doesn't appear to
have an SPF record published.  It seems to me that these messages should
have been dropped during the connection.

Well... an empty record is pretty much the same as "?all" anyway. The
correct interpretation from the receiving MTA is "The SPF (if it exists)
doesn't say if this is spam or not".

This could, of course, vary from implementation to implementation.

If it does (which I don't know), it will probably check the SPF record
of the delivering mailserver, which was not *.jdlabs.fr as far as I can
see from the mail headers.

And also, most of the MX records end in ~all or ?all anyway, and ?all is
the default if no "all" is defined, and the lack of jdlabs.fr SPF record
is the equivalent of being defined as "?all".

I now wonder if there is *really* a case for the ~ and ? operators in
SPF and if we could deprecate ?all and ~all, and change the default to
-all, by RFC. This would be just to make SPF useful. In its current
state it asserts nothing, and --by its definition-- it forces no work
from anybody.

Best regards.
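
The SPF outcomes discussed in this message, as an added example that is not part of the original post: an evaluator for the "ip4", "ip6" and "all" terms, following the result names in RFC 7208. The record strings, IP addresses and function names are constructed for illustration, and rejecting only on "fail" is an assumed receiver policy.

```python
import ipaddress

# Qualifier -> result when a mechanism matches (RFC 7208 result names).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(txt_records, sender_ip):
    """Evaluate sender_ip against the TXT records published for a domain.

    Handles only ip4, ip6 and all. Terms that need further DNS lookups
    (a, mx, include, redirect=...) are refused rather than guessed at.
    """
    policies = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not policies:
        return "none"        # no SPF record published at all
    if len(policies) > 1:
        return "permerror"   # more than one SPF record is an error
    ip = ipaddress.ip_address(sender_ip)
    for term in policies[0].split()[1:]:
        qualifier, mech = "+", term          # "+" is the implicit qualifier
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":                    # always matches
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"term not handled in this example: {term}")
    return "neutral"         # nothing matched and no "all": default result


def rejectable(result):
    # Assumed receiver policy: only an explicit "fail" justifies an
    # SMTP-time reject; none, neutral and softfail assert nothing firm.
    return result == "fail"


if __name__ == "__main__":
    outsider = "198.51.100.7"                # constructed sender address
    for label, records in [("no record", []),
                           ("no all", ["v=spf1 ip4:192.0.2.0/24"]),
                           ("?all", ["v=spf1 ip4:192.0.2.0/24 ?all"]),
                           ("~all", ["v=spf1 ip4:192.0.2.0/24 ~all"]),
                           ("-all", ["v=spf1 ip4:192.0.2.0/24 -all"])]:
        result = spf_result(records, outsider)
        print(f"{label:10} {result:9} reject={rejectable(result)}")
```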

